Don't use hard-coded user/group names and ids

Signed-off-by: Jan Dubois <[email protected]>

Author: jandubois

pkg/networks/commands.go

@@ -2,6 +2,7 @@ package networks
 
 import (
 	"fmt"
+	"github.com/lima-vm/lima/pkg/osutil"
 	"github.com/lima-vm/lima/pkg/store/dirnames"
 )
 
@@ -33,24 +34,21 @@ func (config *NetworksConfig) LogFile(name, daemon, stream string) string {
 	return fmt.Sprintf("%s/%s_%s.%s.log", networksDir, name, daemon, stream)
 }
 
-func (config *NetworksConfig) DaemonUser(daemon string) string {
+func (config *NetworksConfig) User(daemon string) (osutil.User, error) {
 	switch daemon {
 	case Switch:
-		return "daemon"
-	case VMNet:
-		return "root"
-	}
-	panic("daemonuser")
-}
-
-func (config *NetworksConfig) DaemonGroup(daemon string) string {
-	switch daemon {
-	case Switch:
-		return config.Group
+		user, err := osutil.LookupUser("daemon")
+		if err != nil {
+			return user, err
+		}
+		group, err := osutil.LookupGroup(config.Group)
+		user.Group = group.Name
+		user.Gid = group.Gid
+		return user, err
 	case VMNet:
-		return "wheel"
+		return osutil.LookupUser("root")
 	}
-	panic("daemongroup")
+	return osutil.User{}, fmt.Errorf("daemon %q not defined", daemon)
 }
 
 func (config *NetworksConfig) MkdirCmd() string {

pkg/networks/reconcile/reconcile.go

@@ -13,6 +13,7 @@ import (
 	"time"
 
 	"github.com/lima-vm/lima/pkg/networks"
+	"github.com/lima-vm/lima/pkg/osutil"
 	"github.com/lima-vm/lima/pkg/store"
 	"github.com/lima-vm/lima/pkg/store/dirnames"
 	"github.com/sirupsen/logrus"
@@ -98,9 +99,13 @@ func makeVarRun(config *networks.NetworksConfig) error {
 		// should never happen
 		return fmt.Errorf("could not retrieve stat buffer for %q", config.Paths.VarRun)
 	}
-	if fi.Mode()&020 == 0 || stat.Gid != networks.DaemonGID {
+	daemon, err := osutil.LookupUser("daemon")
+	if err != nil {
+		return err
+	}
+	if fi.Mode()&020 == 0 || stat.Gid != daemon.Gid {
 		return fmt.Errorf("%q doesn't seem to be writable by the daemon (gid:%d) group",
-			config.Paths.VarRun, networks.DaemonGID)
+			config.Paths.VarRun, daemon.Gid)
 	}
 	return nil
 }
@@ -116,8 +121,12 @@ func startDaemon(config *networks.NetworksConfig, ctx context.Context, name, dae
 	if err := os.MkdirAll(networksDir, 0755); err != nil {
 		return err
 	}
+	user, err := config.User(daemon)
+	if err != nil {
+		return err
+	}
 
-	args := []string{"--user", config.DaemonUser(daemon), "--group", config.DaemonGroup(daemon), "--non-interactive"}
+	args := []string{"--user", user.User, "--group", user.Group, "--non-interactive"}
 	args = append(args, strings.Split(config.StartCmd(name, daemon), " ")...)
 	cmd := exec.CommandContext(ctx, "sudo", args...)
 	// set directory to a path the daemon user has read access to because vde_switch calls getcwd() which
@@ -193,7 +202,11 @@ func stopNetwork(config *networks.NetworksConfig, name string) error {
 			if err := validateConfig(config); err != nil {
 				return err
 			}
-			err := sudo(config.DaemonUser(daemon), config.DaemonGroup(daemon), config.StopCmd(name, daemon))
+			user, err := config.User(daemon)
+			if err != nil {
+				return err
+			}
+			err = sudo(user.User, user.Group, config.StopCmd(name, daemon))
 			if err != nil {
 				return err
 			}

pkg/networks/sudoers.go

@@ -31,9 +31,13 @@ func Sudoers() (string, error) {
 		sb.WriteRune('\n')
 		sb.WriteString(fmt.Sprintf("# Manage %q network daemons\n", name))
 		for _, daemon := range []string{Switch, VMNet} {
+			user, err := config.User(daemon)
+			if err != nil {
+				return "", err
+			}
 			sb.WriteRune('\n')
 			sb.WriteString(fmt.Sprintf("%%%s ALL=(%s:%s) NOPASSWD:NOSETENV: \\\n",
-				config.Group, config.DaemonUser(daemon), config.DaemonGroup(daemon)))
+				config.Group, user.User, user.Group))
 			sb.WriteString(fmt.Sprintf("    %s, \\\n", config.StartCmd(name, daemon)))
 			sb.WriteString(fmt.Sprintf("    %s\n", config.StopCmd(name, daemon)))
 		}
@@ -50,8 +54,11 @@ func (config *NetworksConfig) passwordLessSudo() error {
 	// Verify that user/groups for both daemons work without a password, e.g.
 	// %admin ALL = (ALL:ALL) NOPASSWD: ALL
 	for _, daemon := range []string{Switch, VMNet} {
-		cmd = exec.Command("sudo", "--user", config.DaemonUser(daemon),
-			"--group", config.DaemonGroup(daemon), "--non-interactive", "true")
+		user, err := config.User(daemon)
+		if err != nil {
+			return err
+		}
+		cmd = exec.Command("sudo", "--user", user.User, "--group", user.Group, "--non-interactive", "true")
 		if err := cmd.Run(); err != nil {
 			return fmt.Errorf("failed to run %v: %w", cmd.Args, err)
 		}

pkg/networks/validate.go

@@ -9,6 +9,8 @@ import (
 	"reflect"
 	"strings"
 	"syscall"
+
+	"github.com/lima-vm/lima/pkg/osutil"
 )
 
 func (config *NetworksConfig) Validate() error {
@@ -48,12 +50,6 @@ func findBaseDirectory(path string) string {
 	return path
 }
 
-const (
-	RootUID   = 0
-	WheelGID  = 0
-	DaemonGID = 1
-)
-
 func validatePath(path string, allowDaemonGroupWritable bool) error {
 	if path == "" {
 		return nil
@@ -82,20 +78,28 @@ func validatePath(path string, allowDaemonGroupWritable bool) error {
 		// should never happen
 		return fmt.Errorf("could not retrieve stat buffer for %q", path)
 	}
-	if stat.Uid != RootUID {
-		return fmt.Errorf(`%s %q is not owned by root (uid: %d), but by uid %d`, file, path, RootUID, stat.Uid)
+	root, err := osutil.LookupUser("root")
+	if err != nil {
+		return err
+	}
+	if stat.Uid != root.Uid {
+		return fmt.Errorf(`%s %q is not owned by %q (uid: %d), but by uid %d`, file, path, root.User, root.Uid, stat.Uid)
 	}
 	if allowDaemonGroupWritable {
-		if fi.Mode()&020 != 0 && stat.Gid != WheelGID && stat.Gid != DaemonGID {
-			return fmt.Errorf(`%s %q is group-writable and group is neither "wheel" (gid: %d) nor "daemon" (guid: %d), but is gid: %d`,
-				file, path, WheelGID, DaemonGID, stat.Gid)
+		daemon, err := osutil.LookupUser("daemon")
+		if err != nil {
+			return err
+		}
+		if fi.Mode()&020 != 0 && stat.Gid != root.Gid && stat.Gid != daemon.Gid {
+			return fmt.Errorf(`%s %q is group-writable and group is neither %q (gid: %d) nor %q (gid: %d), but is gid: %d`,
+				file, path, root.User, root.Gid, daemon.User, daemon.Gid, stat.Gid)
 		}
-		if fi.Mode().IsDir() && fi.Mode()&1 == 0 && (fi.Mode()&0010 == 0 || stat.Gid != DaemonGID) {
-			return fmt.Errorf(`%s %q is not executable by the "daemon" (gid: %d)" group`, file, path, DaemonGID)
+		if fi.Mode().IsDir() && fi.Mode()&1 == 0 && (fi.Mode()&0010 == 0 || stat.Gid != daemon.Gid) {
+			return fmt.Errorf(`%s %q is not executable by the %q (gid: %d)" group`, file, path, daemon.User, daemon.Gid)
 		}
-	} else if fi.Mode()&020 != 0 && stat.Gid != WheelGID {
-		return fmt.Errorf(`%s %q is group-writable and group is not "wheel" (gid: %d), but is gid: %d`,
-			file, path, WheelGID, stat.Gid)
+	} else if fi.Mode()&020 != 0 && stat.Gid != root.Gid {
+		return fmt.Errorf(`%s %q is group-writable and group is not %q (gid: %d), but is gid: %d`,
+			file, path, root.User, root.Gid, stat.Gid)
 	}
 	if fi.Mode()&002 != 0 {
 		return fmt.Errorf("%s %q is world-writable", file, path)

pkg/osutil/user.go

@@ -5,9 +5,69 @@ import (
 	"github.com/sirupsen/logrus"
 	"os/user"
 	"regexp"
+	"strconv"
 	"sync"
 )
 
+type User struct {
+	User  string
+	Uid   uint32
+	Group string
+	Gid   uint32
+}
+
+type Group struct {
+	Name string
+	Gid   uint32
+}
+
+var users map[string]User
+var groups map[string]Group
+
+func LookupUser(name string) (User, error) {
+	if users == nil {
+		users = make(map[string]User)
+	}
+	if _, ok := users[name]; !ok {
+		u, err := user.Lookup(name)
+		if err != nil {
+			return User{}, err
+		}
+		g, err := user.LookupGroupId(u.Gid)
+		if err != nil {
+			return User{}, err
+		}
+		uid, err := strconv.ParseUint(u.Uid, 10, 32)
+		if err != nil {
+			return User{}, err
+		}
+		gid, err := strconv.ParseUint(u.Gid, 10, 32)
+		if err != nil {
+			return User{}, err
+		}
+		users[name] = User{User: u.Username, Uid: uint32(uid), Group: g.Name, Gid: uint32(gid)}
+	}
+	return users[name], nil
+}
+
+func LookupGroup(name string) (Group, error) {
+	if groups == nil {
+		groups = make(map[string]Group)
+	}
+	if _, ok := groups[name]; !ok {
+		g, err := user.LookupGroup(name)
+		if err != nil {
+			return Group{}, err
+		}
+		gid, err := strconv.ParseUint(g.Gid, 10, 32)
+		if err != nil {
+			return Group{}, err
+		}
+		groups[name] = Group{Name: g.Name, Gid: uint32(gid)}
+	}
+	return groups[name], nil
+}
+
 const (
 	fallbackUser = "lima"
 )